Privacy and Data Protection

Womble Carlyle's "Privacy Bulletin" highlights select developments that might be of interest to entities that collect or use personally identifiable information. Protecting a person's privacy is a challenge to businesses, universities, and all other entities that collect personal information, particularly given the proliferation of personally identifiable information contained within consumer and employee records. Womble Carlyle issues its Privacy Bulletin twice a month.

Tuesday, July 5, 2016, 5:34 PM

Future of U.K. Data Protection Regs Unclear

As incoming British Prime Minister Theresa May assembles her Cabinet, including a newly appointed Secretary of State for Exiting the European Union following the June 23, 2016 Brexit referendum outcome, the U.K.'s march toward leaving the EU creates uncertainty about whether the U.K. will continue to follow EU data protection laws, including implementation of the EU's new General Data Protection Regulation (“GDPR”), scheduled to become effective on May 25, 2018. Furthermore, the recently negotiated U.S./EU Privacy Shield, approved by the European Commission on July 12, 2016 as a replacement privacy regime for the EU-invalidated Safe Harbor, may also face an uncertain future in the U.K. if it is not an available framework for multinational businesses operating in the U.K.

For example, Microsoft stated in an open letter in May 2016 to its 5000 U.K. employees before the Brexit vote that the U.K.'s EU membership was one of the factors that attracted Microsoft to make investments in the U.K., including in a new data center. One important future signal will be whether the U.K. opts to join the European Economic Area, or otherwise maintains significant trade with the EU, in which case the U.K. would necessarily need to comply with EU privacy regulations. If not, the U.K. would still need to develop its own data protection network. However, formal notice to the EU of Britain's exit is not likely to occur until the British Government formulates its exit strategy from the EU, including passage of new U.K. privacy and other laws to replace those under the EU regime, and has its team in place to execute on that strategy. Because at least two years' notice must be given before the U.K. can formally exit the EU under Article 50 of the Treaty of Lisbon, both the GDPR (in May 2018) and the Privacy Shield are likely to be in place in the U.K. before an actual exit from the EU occurs. And many observers believe that any law that Britain adopts will likely be similar to the GDPR, since a non-member country's data protection regime must be deemed “adequate” by the EU for businesses in that non-member country to exchange data and to do business within the EU.

In short, the status quo in the U.K. will not change in the short term, and because Brexit likely won’t be completed for years, the Privacy Shield will likely govern personal data transfers from the U.K. to the U.S. well before actual withdrawal is completed. It also may take years to negotiate and complete agreements and to enact alternative U.K. data privacy laws.